Critical security flaws in Cacti, Realtek, and IBM Aspera Faspex are being exploited by various threat actors in hacks targeting unpatched systems.

This entails the abuse of CVE-2022–46169 (CVSS score: 9.8) and CVE-2021–35394 (CVSS score: 9.8) to deliver MooBot and ShellBot (aka PerlBot), Fortinet FortiGuard Labs said in a report published this week.

CVE-2022–46169 relates to a critical authentication bypass and command injection flaw in Cacti servers that allows an unauthenticated user to execute arbitrary code. CVE-2021–35394 also concerns an arbitrary command injection vulnerability impacting the Realtek Jungle SDK that was patched in 2021.